Vulnerability analysis of HD photo image viewer applications

Download
Author
Juan, Clifford C.
Date
2007-09Advisor
Michael, James Bret
Second Reader
Eagle, Christopher S.
Metadata
Show full item recordAbstract
The introduction of Microsoft's new graphics file format, Windows Media Photo, into the mainstream market in 2006 has been one of the most interesting developments in the digital world. The file format, which has since been renamed to HD Photo in November of 2006, is being touted as the successor to the ubiquitous JPEG image format, as well as the eventual de facto standard in the digital photography market. With massive efforts already underway to increase the software support of this file format, to make available support for digital camera makers to incorporate it into their products, and to propose the file format to the Joint Photography Experts Group in order to make HD Photo as a standard itself, HD Photo is poised to become as widespread as any of the common image file formats today. This provides the motivation into studying whether the HD Photo file format can be used as a vehicle to compromise a user s system. This work addresses the security of handling the HD Photo file format as it pertains to image viewer applications. Whenever an application is updated to accommodate a new file format, it is possible that the application in question can be vulnerable to exploitation. This is a concern, especially if a malformed instance of that file format can make the application to deviate from its specified behavior and cause the execution of arbitrary code. This thesis investigates if some of the existing applications today that render image files are susceptible to compromise by opening a malformed HD Photo image file. The goal of this thesis is to test the security of various image viewer applications compatible with the HD Photo file format. We modified MiniFuzz, an automated fuzzing tool, to conduct mutation-based smart fuzzing and generation-based fuzzing. The test instrumentation worked correctly, but the test cases did not reveal any security vulnerabilities.
Collections
Related items
Showing items related by title, author, creator and subject.
-
Low-cost ground sensor network for intrusion detection
Hoon, Dingyao; Foo, Yueng Hao Kenneth (Monterey, California: Naval Postgraduate School, 2017-09);Perimeter surveillance of forward operating locations, such as Forward Arming and Refueling Points (FARPs), is crucial to ensure the survivability of personnel and materiel. FARPs are frequently located well outside the ... -
Context-Based Mobile Security Enclave
Carter, Joey C. (Monterey, California. Naval Postgraduate School, 2012-09);Currently, there are no secure access control methods of controlling restricted material access on a mobile device using context-based authentication methods. Simple challenge/response protocols do not provide the security ... -
Cloud computing in support of synchronized disaster response operations
Kelly, Shawn M.; Mazyck, Corey A. (Monterey, California. Naval Postgraduate School, 2010-09);During disaster response, key resources are supplied from a variety of channels including: government agencies, volunteer organizations, commercial businesses, educational institutions and others. While many of the entities ...